squid configuration manual 30

Squid 3.0 Configuration Manual Support and Queries to E-mail [email protected] Home Page: http://www.visolve.co...

1 downloads 70 Views 5MB Size
Squid 3.0 Configuration Manual Support and Queries to E-mail [email protected]

Home Page: http://www.visolve.com

Disclaimer: This manual is NOT a Squid tutorial. It does not, for example, takes the reader through step-by-step details of Squid installation and configuration. The objective of this manual is to explain, in as much detail as possible, every configuration parameter available in Squid 3.0. As such, the reader is required to have prior knowledge of basic Squid installation and configuration. The details presented in this manual are in the nature of reference material. For a complete tutorial on Squid, please visit http://www.squid-cache.org

NOTE: 1. Squid 3.0 is NOT a stable version. 2.

says newly added directives to squid 2.4 Stable x

Table of Contents 1. Network Parameters 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.

http_port https_port ssl_unclean_shutdown ssl_engine sslproxy_client_certificate sslproxy_client_key sslproxy_version sslproxy_options sslproxy_cipher sslproxy_cafile sslproxy_capath

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.

acl http_access http_reply_access icp_access miss_access cache_peer_access ident_lookup_access tcp_outgoing_tos tcp_outgoing_address reply_body_max_size log_access

sslproxy_flags icp_port

9. Administrative parameters

htcp_port mcast_groups udp_incoming_address udp_outgoing_address

2.Options which affect the neighbour selection algorithm 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.

8. Access controls

1. 2. 3. 4. 5. 6.

cache_mgr cache_effective_user cache_effective_group visible_hostname unique_hostname hostname_aliases

cache_peer cache_peer_domain

10. Options for cache registration services

neighbor_type_domain icp_query_timeout maximum_icp_query_timeout minimum_icp_query_timeout mcast_icp_query_timeout dead_peer_timeout hierarchy_stoplist no_cache background_ping_rate

3. Options which affect the cache size 1. cache_mem 2. cache_swap_low 3. cache_swap_high

1. 2. 3. 4.

announce_period announce_host announce_port announce_file

11. Miscellaneous 1. 2. 3. 4. 5. 6. 7.

dns_testnames logfile_rotate append_domain tcp_recv_bufsize err_html_text email_err_data deny_info

4. 5. 6. 7. 8. 9. 10. 11. 12.

maximum_object_size minimum_object_size maximum_object_size_in_memory ipcache_size ipcache_low ipcache_high fqdncache_size cache_replacement_policy memory_replacement_policy

4. Logfile pathnames and cache directory 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16.

cache_dir logformat access_log cache_log cache_store_log cache_swap_log emulate_httpd_log log_ip_on_direct mime_table log_mime_hdrs useragent_log referer_log pid_filename debug_options log_fqdn client_netmask

5. Options for external support programs 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18.

ftp_user ftp_list_width ftp_passive ftp_sanitycheck check_hostnames cache_dns_program

8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42.

memory_pools memory_pools_limit via forwarded_for log_icp_queries icp_hit_stale minimum_direct_hops minimum_direct_rtt cachemgr_passwd store_avg_object_size store_objects_per_bucket client_db netdb_low netdb_high netdb_ping_period query_icmp test_reachability buffered_logs reload_into_ims always_direct never_direct header_access header_replace icon_directory error_directory maximum_single_addr_tries snmp_port snmp_access snmp_incoming_address snmp_outgoing_address as_whois_server wccp_router wccp_version wccp_incoming_address wccp_outgoing_address

12. Delay pool parameters

dns_children dns_retransmit_interval dns_timeout dns_defnames dns_nameservers hosts_file diskd_program unlinkd_program pinger_program redirect_program redirect_children redirect_concurrency

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.

delay_pools delay_class delay_access delay_parameters delay_initial_bucket_level incoming_icp_average incoming_http_average incoming_dns_average min_icp_poll_cnt min_dns_poll_cnt min_http_poll_cnt

19. 20. 21. 22. 23. 24. 25.

redirect_rewrites_host_header redirector_access auth_param authenticate_cache_garbage_interval authenticate_ttl authenticate_ip_ttl external_acl_type

6. Options for tuning the cache 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13.

wais_relay_host wais_relay_port request_header_max_size request_body_max_size refresh_pattern quick_abort_min quick_abort_max quick_abort_pct read_ahead_gap negative_ttl positive_dns_ttl negative_dns_ttl range_offset_limit

7. Timeouts 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

connect_timeout peer_connect_timeout read_timeout request_timeout persistent_request_timeout client_lifetime half_closed_clients pconn_timeout ident_timeout shutdown_lifetime

12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44.

max_open_disk_fds offline_mode uri_whitespace broken_posts mcast_miss_addr mcast_miss_ttl mcast_miss_port mcast_miss_encode_key nonhierarchical_direct prefer_direct strip_query_terms coredump_dir redirector_bypass ignore_unknown_nameservers digest_generation digest_bits_per_entry digest_rebuild_period digest_rewrite_period digest_swapout_chunk_size digest_rebuild_chunk_percentage chroot client_persistent_connections server_persistent_connections pipeline_prefetch extension_methods request_entities high_response_time_warning high_page_fault_warning high_memory_warning store_dir_select_algorithm ie_refresh vary_ignore_expire sleep_after_fork

NETWORK PARAMETERS Network parameters control network configuration, e.g. communication ports, secure network access and options, SSL options, inter-cache communication, multicast ICP queries etc.

TAG NAME Description Build Option Usage

http_port Port where Squid will listen for clients http requests Default http_port port [options] http_port hostname:port [options] http_port ip_adderss:port [options] none

Default

Synopsis This parameter allows the user to define the address on which Squid will listen for client's http requests. This is a required parameter, and there are no defaults. Without this configuration, Squid will never start.

Arguments port

Port to which Squid will bind the socket

hostname

hostname to which Squid will bind the socket

ip_address

ip_address to which Squid will bind the socket

When a hostname or IP address is specified (as shown in variations 2 and 3 above), Squid binds the socket to that specific address. Note: The http_port parameter may be specified multiple times, with different addresses each time. This will cause Squid to listen on multiple ports. Options are arguments that further control the behavior of the Squid proxy. The supported values are explained in the table below: Options

Functions

accel

Configure Squid in accelerator mode

transparent

Configure Squid as transparent proxies

vhost

Accelerator using virtual hosts

vport

Accelerator with virtual ip host support

vport=NN

As above, but uses specified port number rather than the http_port number.

defaultsite=xx Main web site name for accelerators. also implies accel option protocol=

Protocol to reconstruct accelerated requests with. Defaults to http.

Example(s) http_port 3128 http_port 172.16.1.53:3300 http_port 172.16.1.53:80 accel defaultsite=visolve.com http_port 3128 transparent

TAG NAME

https_port

Description Build Option Usage Default

Port where Squid will listen for clients https requests --enable-ssl https_port [ip:]port cert=certificate.pem [key=key.pem] [options...] none

Synopsis This parameter specifies the address where Squid will listen for client's https requests. Its role is significant when Squid is configured in accelerator mode where SSL works to be done.

Arguments ip

IP Address to which Squid will bind the socket

port

Port to which Squid will bind the socket

cert=certificate.pem Path and the file name where SSL certificate is located key=key.pem

Path and the file name where SSL private key for the certificate is located

options controls other additional features and are explained in the table below: Options

Functions

defaultsite=

The name of the https site presented on this port

protocol=

Protocol to reconstruct accelerated requests with. Defaults to https.

cert=

Path to SSL certificate (PEM format)

key=

Path to SSL private key file (PEM format) if not specified, the certificate file is assumed to be a combined certificate and key file

version=

The version of SSL/TLS supported 1 automatic (default) 2 SSLv2 only 3 SSLv3 only 4 TLSv1 only

cipher=

Colon separated list of supported ciphers

options=

Various SSL engine options. The most important being: NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1 SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges See src/ssl_support.cc or OpenSSL SSL_CTX_set_options documentation for a complete list of options.

clientca=

File containing the list of CAs to use when requesting a client certificate

cafile=

File containing additional CA certificates to use when verifying client certificates. If unset clientca will be used.

capath=

Directory containing additional CA certificates to use when verifying client certificates

dhparams=

File containing DH parameters for temporary/ephemeral DH key exchanges

sslflags=

Various flags modifying the use of SSL: DELAYED_AUTH - Don't request client certificates immediately, but wait until acl processing requires a certificate NO_DEFAULT_CA - Don't use the default CA list built in to OpenSSL.

Example(s) https_port 443 cert=/usr/local/ssl/cert.pem key=/usr/local/ssl/key.pem defaultsite=visolve.com

TAG NAME

ssl_unclean_shutdown

Description Build Option Usage Default

Used to handle bugs in browsers which does not fully support SSL --enable-ssl ssl_unclean_shutdown on|off ssl_unclean_shutdown off

Synopsis Some browsers like MSIE will indicate bugs during SSL shutdown. During such conditions, making this tag "on" will handle those bugs.

Arguments on/off

Enable or disable ssl_unclean_shutdown

TAG NAME Description Build Option Usage Default

ssl_engine Defines Hardware SSL acceleration which is to be used --enable-ssl ssl_engine engine none

Synopsis The openssl engine to use. For Example(s), you will need to set this if you would like to use hardware SSL acceleration.

Arguments engine

Hardware SSL accelerator to be used

TAG NAME Description Build Option Usage Default

sslproxy_client_certificate Used to define clients SSL certificate for proxying https:// URLs --enable-ssl sslproxy_client_certificate path/certificatefile none

Synopsis When proxying https:// URLs requests, this tag defines the clients SSL certificate path and the certificate file to be used for verification.

Arguments path/ certificatefile

Path and the file that holds the clients SSL certificate

Example(s) sslproxy_client_certificate /usr/local/ssl/cert.pem

TAG NAME Description Build Option Usage Default

sslproxy_client_key Defines clients SSL certificate key for proxying https:// URLs --enable-ssl sslproxy_client_key path/key.pem none

Synopsis When Squid is used as a proxy server for https:// URLs requests, this tag defines the clients SSL certificate key's path and the file that holds the key.

Arguments path/key. pem

Path and the file that contains the clients certificate key

Example(s) sslproxy_client_key /usr/local/ssl/certkey.pem

TAG NAME Description Build Option Usage Default

sslproxy_version Defines the SSL version level to be used when proxying https:// URLs --enable-ssl sslproxy_version version sslproxy_version 1

Synopsis When SSL certificate is used for proxying https:// URLs, this tag can be used to define the SSL version level that will be used for handling encrypted connections.

Arguments version

SSL version level

Example(s) sslproxy_version 3

TAG NAME Description Build Option Usage Default

sslproxy_options This defines the SSL engine options to be used when proxying https:// URLs --enable-ssl options option none

Synopsis When proxying https:// URLs, this tag is used to specify various SSL options.

Arguments option

SSL options

Example(s) sslproxy_options NO_SSLv2

TAG NAME Description Build Option Usage Default

sslproxy_cipher SSL cipher list to be used when proxying https:// URLs --enable-ssl sslproxy_cipher cipher none

Synopsis This tag sets the ciphers on which SSL will decide during the negotiation phase of the SSL connection when proxying https:// URLs

Arguments cipher

SSL proxy cipher to be used

TAG NAME

sslproxy_cafile

Description Build Option Usage Default

Defines the file that contains CA certificate --enable-ssl sslproxy_cafile filename none

Synopsis This tag defines the file that contains CA certificate to be used for verifying server certificates when Squid is used as a proxy server for https://URLs.

Arguments filename

File that contains CA certificate

Example(s) sslproxy_cafile /usr/local/ca1.pem

TAG NAME

sslproxy_capath

Description Build Option Usage Default

Defines the directory for the file containing CA certificate --enable-ssl sslproxy_capath path none

Synopsis While proxying https:// URLs, this tag defines the path where the CA certificate file to be used when verifying server certificates is located.

Arguments path

Path where CA certificate file is located

Example(s) sslproxy_capath /usr/local/

TAG NAME

sslproxy_flags

Description Build Option Usage Default

Specifies the way how SSL should act while proxying https:// URLs --enable-ssl sslproxy_flags flags none

Synopsis When Squid is used as a proxy server for https://URLs, this tag is used to defines the nature of SSL's behaviour.

Arguments Flags

Meaning

DONT_VERIFY_PEER Accept certificates even if they fail to verify NO_DEFAULT_CA

Don't use the default CA list built in to OpenSSL

Example(s) sslproxy_flags NO_DEFAULT_CA

TAG NAME

icp_port

Description Build Option Usage Default

Port number through which Squid sends and receives ICP queries Default icp_port portnumber icp_port 0

Synopsis Defines the port for ICP packets to be sent and received from neighbour caches.

Arguments portnumber

Port to which Squid will bind the socket

Example(s) icp_port 3030

TAG NAME Description Build Option Usage Default

htcp_port Port number through which Squid sends and receives HTCP queries Default htcp_port portnumber htcp_port 4827

Synopsis This tag defines the port address through which HTCP packets will be sent and received from neighbour caches.

Arguments portnumber

Port to which Squid will bind the socket

Example(s) htcp_port 2134

TAG NAME Description

mcast_groups Defines list of multicast groups which your server should join to receive multicasted ICP queries Default mcast_groups ip_address none

Build Option Usage Default

Synopsis Multicast is essentially the ability to send one IP packet to multiple receivers. Your server will join to the multicat groups defined by the IP Addresses. This option is to be set only if you want to RECEIVE multicast queries. ICP replies are always sent via unicast, so this option does not affect whether or not you will receive replies from multicast group members.

Arguments ip_address

ip_address of the multicast groups to join

Example(s) mcast_groups 239.128.16.128 224.0.1.20

TAG NAME

udp_incoming_address, udp_outgoing_address

Description Build Option Usage

Defines the address for sending and receiving ICP packets Default udp_incoming_address ip_address udp_outgoing_address ip_address udp_incoming_address 0.0.0.0 udp_outgoing_address 255.255.255.255

Default

Synopsis These tags defines the interface through which ICP packets are sent and received. The default behavior is to not bind to any specific address. A udp_incoming_address value of 0.0.0.0 indicates that Squid should listen for UDP messages on all available interfaces. If udp_outgoing_address is set to 255.255.255.255 (the default) then it will use the same socket as udp_incoming_address. Only change this if you want to have ICP queries sent using another address than where this Squid listens for ICP queries from other caches.

Arguments ip_address

ip_address to which Squid binds the ICP socket

Note: udp_incoming_address and udp_outgoing_address cannot have the same value since they both use port 3130.

Example(s) udp_incoming_address 172.16.1.35 udp_outgoing_address 192.168.150.6

NEIGHBOUR SELECTION ALGORITHM Configurations needed for communication of Squid with the neighbor caches are done under this category.

TAG NAME Description Build Option Usage Default

cache_peer This specifies other caches in cache hierarchy Default cache_peer hostname type http_port icp_port [options] none

Synopsis This defines how to treat the neighbour peer's in cache hierarchy. This is used during inter cache communication.

Arguments hostname type proxy_port icp_port

Options proxy-only weight=n basetime=n

ttl=n

no-query

The cache peer to which communication is to be established The way how the cache peer be treated (either as 'parent', 'sibling' or 'multicast'). Port number where the cache listens for other peers requests. Used for querying neighbor caches about objects. To have a non-ICP neighbor specify '7' for the ICP port and make sure the neighbour machine has the UDP echo port - enabled in its /etc/inetd.conf file. Functions to specify that objects fetched from this cache should not be saved locally. to specify a weighted parent. The weight must be an integer. The default weight is 1, larger weights are favored more. to specify a base amount to be subtracted from round trip times of parents. It is subtracted before division by weight in calculating which parent to fetch from. If the rtt is less than the base time then the rtt is set to a minimal value. to specify a IP multicast TTL to use when sending an ICP queries to this address. Only useful when sending to a multicast group. Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the multicast-responder' option below. NOT to send ICP queries to this neighbor.

background-ping default round-robin weighted-round-robin carp multicast-responder closest-only no-digest no-netdb-exchange no-delay login=user:password

login=PASS

login=*:password

connect-timeout=nn digest-url=url allow-miss

max-conn htcp originserver name=xxx forceddomain=name

ssl sslcert= /path/to/ssl/certificate sslkey= /path/to/ssl/key sslversion=1|2|3|4

sslcipher=...

only send ICP queries to this neighbor infrequently. This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin. if this is a parent cache which can be used as a "last-resort." You should probably only use 'default' in situations where you cannot use ICP with your parent cache(s). to define a set of parents which should be used in a round-robin fashion in the absence of any ICP queries. to define a set of parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time. Closer parents are used more often. to define a set of parents which should be used as a CARP array. The requests will then be distributed among the parents based on the CARP load balancing hash function based on their weight. indicates that the named peer is a member of a multicast group. ICP queries willnot be sent directly to the peer, but ICP replies will be accepted from it. indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. NOT to request cache digests from this neighbor. disables requesting ICMP RTT database (NetDB) from the neighbor. to prevent access to this neighbor from influencing the delay pools. if this is a personal/workgroup proxy and your parent requires proxy authentication. The string can include URL escapes (i.e. %20 for spaces). This also means that % must be written as %%. if users must authenticate against the upstream proxy. This will pass the users credentials as they are to the peer proxy. This only works for the Basic HTTP authentication scheme. To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for one proxy login. Also be warned that this will expose your users proxy password to the peer. USE WITH CAUTION to pass the username to the upstream cache, but with a fixed password. This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user. The star can optionally be followed by some extra information which is added to the username. This can be used to identify this proxy to the peer, similar to the login=username:password option above. to specify a peer specific connect timeout (also see the peer_connect_timeout directive) to tell Squid to fetch the cache digest (if digests are enabled) for this host from the specified URL rather than the Squid default location. to disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling. To extensive use of this option may result in forwardingloops, and you should avoid having two-way peerings with this option. (for Example(s) to deny peer usage on requests from peer by denying cache_peer_access if the source is a peer) to limit the amount of connections Squid may open to this peer. to send HTCP, instead of ICP, queries to the neighbor. You probably also want to set the "icp port" to 4827 instead of 3130. causes this parent peer to be contacted as a origin server. Meant to be used in accelerator setups. if you have multiple peers on the same host but different ports. This name can then be used to differentiate the peers in cache_peer_access and similar directives. to forcibly set the Host header of requests forwarded to this peer. Useful in accelerator setups where the server (peer) expects a certain domain name and using redirectors to feed this domainname is not feasible. to indicate that connections to this peer should bs SSL/TLS encrypted. to specify a client SSL certificate to use when connecting to this peer. to specify the private SSL key corresponding to sslcert above. If 'sslkey' is not specified then 'sslcert' is assumed to reference a combined file containing both the certificate and the key. to specify the SSL version to use when connecting to this peer 1 = automatic (default) 2 = SSL v2 only 3 = SSL v3 only 4 = TLS v1 only to specify the list of valid SSL chipers to use when connecting to this peer

ssloptions=...

to specify various SSL engine options NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1 to specify a file containing additional CA certificates to use when verifying the peer certificate to specify a directory containing additional CA certificates to use when verifying the peer certificate to specify various flags modifying the SSL implementation DONT_VERIFY_PEER - Accept certificates even if they fail to verify. NO_DEFAULT_CA - Don't use the default CA list built in to OpenSSL. DONT_VERIFY_DOMAIN - Don't verify that the peer certificate matches the server name

cafile=... capath=... sslflags=...

sslname=

to specify the peer name as advertised in it's certificate. Used for verifying the correctness of the received peer certificate. If not specified the peer hostname will be used. to enable the "Front-End-Https: On" header needed when using Squid as a SSL frontend infront of Microsoft OWA. See MS KB document Q307347 for details on this header. If set to auto then the header will only be added if the request is forwarded as a https://URL.

front-end-https

Example(s) cache_peer proxy.visolve.com parent 3128 3130 default cache_peer 172.16.1.57 parent 3128 3130 proxy-only cache_peer 172.16.1.123 sibling 3129 5500 weight=2

TAG NAME Description Build Option Usage Default

cache_peer_domain Used to limit the domains for which a neighbour cache will be queried Default cache_peer_domain cache-host domain [domain ...] none

Synopsis In case if there are more number of cache peers, then using this tag we can direct the query to that cache peer for particular domains alone. Prefixing the domain with "!" will be queried for objects NOT in that domain.

Arguments cache-host domain

The cache peer to be queried for the specified domain The domain for which the cache peer to be queried

Example(s) cache_peer_domain 172.16.1.57 .co.in

TAG NAME Description Build Option Usage Default

neighbor_type_domain Using this tag, we can modify the define nerighbour type for particular domains Default neighbor_type_domain neighbour parent|sibling domain domain ... none

Synopsis There may be situations where an already defined neighbour to be treated differently for particular domains alone. This can be achieved using this directive.

Arguments neighbour The neighbour which to be treated diffrently parent|sibling How the neighbour to be treated (parent/sibling) domain The domain for which the cache peer to be treated differently

Example(s) cache_peer parent 172.16.1.57 3128 3130 neighbor_type_domain 172.16.1.57 sibling.com

TAG NAME Description Build Option Usage Default

icp_query_timeout Used to define the inter-cache query timeout Default icp_query_timeout time(msec) icp_query_timeout 0

Synopsis Based on the round trip time of recent ICP queries, Squid normally determines an optimal ICP query timeout. If you want to override this value, you can specify the timeouts using this tag. The value specified is in Milliseconds.

Arguments time

Fixed time period for ICP queries

Example(s) icp_query_timeout 2000

TAG NAME Description Build Option Usage Default

maximum_icp_query_timeout Defines ICP query timeout value to a maximum limit Default maximum_icp_query_timeout time(msec) maximum_icp_query_timeout 2000

Synopsis Normally the ICP query timeout is determined dynamically. But sometimes it can lead to very large values (say 5 seconds). Use this option to put an upper limit on the dynamic timeout value. The value specified is in Milliseconds. Note: Do NOT use this option to always use a fixed (instead of a dynamic) timeout value. To set a fixed timeout see the icp_query_timeout directive.

Arguments time

Maximum upper time limit

Example(s) maximum_icp_query_timeout 4000

TAG NAME Description Build Option Usage Default

minimum_icp_query_timeout Defines ICP query timeout value to a minimum limit Default minimum_icp_query_timeout time(msec) minimum_icp_query_timeout 5

Synopsis As in the previous tag, ICP query timeouts to very small value, even lower than the normal latency variance on your link due to traffic. Use this option to put an lower limit on the dynamic timeout value. The value specified is in Milliseconds. Note: Do NOT use this option to always use a fixed (instead of a dynamic) timeout value. To set a fixed timeout see the icp_query_timeout directive.

Arguments time

Minimum lower time limit

Example(s) minimum_icp_query_timeout 4000

TAG NAME Description

mcast_icp_query_timeout In case of multicast peer's, the value specified in this tag determines how long should Squid wait to count all replies from its peers Default mcast_icp_query_timeout time(msec) mcast_icp_query_timeout 2000

Build Option Usage Default

Synopsis For Multicast peers, Squid regularly sends out ICP "probes" to count how many other peers are listening on the given multicast address. This tag determines the time how long Squid should wait to count all replies from its peers. The value specified is in Milliseconds.

Arguments time

Time period to wait

Example(s) mcast_icp_query_timeout 3000

TAG NAME Description Build Option Usage Default

dead_peer_timeout Defines the time period after which Squid will declare the corresponding peer as dead Default dead_peer_timeout time(sec) dead_peer_timeout 10 seconds

Synopsis This allows Squid to define the time period for declaring a peer cache as "dead." If there are no ICP replies received with in the specified amount of time, Squid will declare that peer as dead and will not expect to receive any further ICP replies. However, it continues to send ICP queries, and will mark the peer as alive upon receipt of the first subsequent ICP reply. Note: This timeout also affects when Squid expects to receive ICP replies from peers. If more than dead_peer seconds have passed since the last ICP reply was received, Squid will not expect to receive an ICP reply on the next query. Thus, if your time between requests is greater than this timeout, you will see a lot of requests sent DIRECT to origin servers instead of to your parents.

Arguments time

Time period to decide the cache peer as dead

Example(s) dead_peer_timeout 50 seconds

TAG NAME Description Build Option Usage Default

hierarchy_stoplist Use this tag not to query neighbour caches for certain objects Default hierarchy_stoplist words none

Synopsis Certain words defined in this tag when matched in the URLs, directs Squid not to query neighbour caches.

Arguments words

Words to be matched for direct access

Example(s) hierarchy_stoplist cgi-bin ?

TAG NAME

no_cache

Description Build Option Usage Default

Use this to force certain objects to never be cached Default no_cache allow|deny acl ... none

Synopsis A list of ACL elements which, if matched, cause the request not to be satisfied from the cache and the reply not to be cached. In other words, use this to force certain objects to never be cached. You must use the word 'DENY' to indicate the ACL names which should NOT be cached.

Arguments allow/deny acl

Allow or deny caching of objects on matching the acl The condition/rule to be matched for which caching of those objects can be allowed or denied

Example(s) acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY

TAG NAME

background_ping_rate

Description Build Option Usage Default

Defines the rate of ICP pings Default background_ping_rate time background_ping_rate 10 seconds

Synopsis Squid normally sends ICP pings to the siblings. This directive defines the ICP ping rate.

Arguments time

Background pinging rate

Example(s) background_ping_rate 10 seconds

OPTIONS WHICH AFFECT THE CACHE SIZE Tags under this section deals with cache memory configurations like cache memory size, swap size, maximum and minimum object size, cache and memory replacement policies.

TAG NAME Description

Build Option Usage Default

cache_mem cache_mem defines the ideal amount of memory to be used for In-Transit objects, Hot Objects, NegativeCached objects Default cache_mem size cache_mem 8 MB

Synopsis Data for these objects are stored in 4 KB blocks. This parameter specifies the ideal upper limit on the total size of 4 KB blocks allocated. In-transit objects have priority over the others. When additional space is needed for incoming data, Negative-cached and Hot objects will be released. In other words, the negative-cached and hot objects will fill up any unused space not needed for In-transit objects. If circumstances require, this limit will be exceeded. Specifically, if your incoming request rate requires more than cache_mem of memory to hold In-transit objects, Squid will exceed this limit to satisfy the new requests. When the load decreases, blocks will be freed until the high-water mark is reached. Thereafter, blocks will be used to store hot objects. Note: This tag does not specify the maximum process size. It places a limit on one aspect of squid's memory usage. Squid uses memory for other things as well. Process will probably become twice or three times bigger than the value put here.

Arguments size

Cache memory size

Example(s) cache_mem 32 MB

TAG NAME Description Build Option Usage

cache_swap_low, cache_swap_high This defines low- and high-water marks for cache object replacements Default cache_swap_low percent( 0-100 ) cache_swap_high percent( 0-100 ) cache_swap_low 90 cache_swap_high 95

Default

Synopsis This tags define when the replacement should take place. Replacement begins when the swap (disk) usage is above the low-water mark and attempts to maintain utilization near the low-water mark. As swap utilization gets close to high-water mark object eviction becomes more aggressive. If utilization is close to the low-water mark less replacement is done each time. Defaults are 90% and 95%. If you have a large cache, 5% could be hundreds of MB. If this is the case you may wish to set these numbers closer together.

Arguments percent

low and high level in percentage

Example(s) cache_swap_low 50 cache_swap_high 75

TAG NAME Description Build Option Usage Default

maximum_object_size Defines maximum size for objects to be stored in the disk Default maximum_object_size size object_size 4096 KB

Synopsis Objects larger than this size will NOT be saved on disk. The value is specified in kilobytes, and the default is 4MB. If you wish to get a high BYTES hit ratio, you should probably increase this (one 32 MB object hit counts for 3200 10KB hits). Leave this value low if you wish to increase the speed more than what you want to save bandwidth. Note: If using the LFUDA replacement policy you should increase this value to maximize the byte hit rate improvement of LFUDA! See replacement_policy below for a discussion of this policy.

Arguments size

Maximum object size

Example(s) maximum_object_size 320010 KB

TAG NAME Description Build Option Usage Default

minimum_object_size Specifies the minimum object size below which will not be saved to the disk Default minimum_object_size size minimum_object_size 0 KB

Synopsis Objects smaller than this size will NOT be saved on disk. The value is specified in kilobytes, and the default is 0 KB, which means there is no minimum.

Arguments size

Minimum object size

Example(s) minimum_object_size 10 KB

TAG NAME Description Build Option Usage Default

maximum_object_size_in_memory Defines maximum size of the object to be kept in memory cache Default maximum_object_size_in_memory size maximum_object_size_in_memory 8 KB

Synopsis Objects greater than the size specified in this tag will not be kept in the memory cache. This should be set high enough to keep objects accessed frequently in memory to improve performance at the same time low enough to keep larger objects from hoarding cache_mem.

Arguments size

Maximum size of the object to be kept in memory cache

Example(s) maximum_object_size_in_memory 100 KB

TAG NAME

ipcache_size, ipcache_low, ipcache_high

Description Build Option Usage

Default

The size of the cache used for IP addresses and the high and low water marks for the same Default ipcache_size number of entries ipcache_low percent ipcache_high percent ipcache_size 1024 ipcache_low 90 ipcache_high 95

Synopsis Defines the size of cache needed for caching ip address, also its low and high water marks.

Arguments number of entries percent

Number of entries to be cached low and high level for the ipcache in percentage

Example(s) ipcache_size 2048 ipcache_low 90 ipcache_high 95

TAG NAME Description Build Option Usage Default

fqdncache_size Defines the size of in memory cache needed for fully qualified domain names Default fqdncache_size number of entries fqdncache_size 1024

Synopsis This is used to specify maximum number of entries for fully qualified domain names. Defaults to 1024, which is usually a safe value. In environments where DNS queries are slow, raising this may help.

Arguments number of entries

Number of fully qualified domains to be cached

Example(s) fqdncache_size 2048

TAG NAME Description Build Option Usage Default

cache_replacement_policy The cache replacement policy parameter determines which objects are to be replaced when disk space is needed --enable-removal-policy cache_replacement_policy policy cache_replacement_policy lru

Synopsis Whenever space for new objects were not found in the disk, cache_replacement_policy tag determines which objects in the cache memory (disk) should be replaced. The cache replacement policies is of four types. They are, Policy Explanation lru Squid's original list based LRU policy heap GDSF Greedy-Dual Size Frequency heap LFUDA Least Frequently Used with Dynamic Aging heap LRU LRU policy implemented using a heap This applies to any cache_dir lines listed below this.

The lru policies keeps recently referenced objects. The heap GDSF policy optimizes object hit rate by keeping smaller popular objects in cache so it has a better chance of getting a hit. It achieves a lower byte hit rate than LFUDA though since it evicts larger (possibly popular) objects. The heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. Both policies utilize a dynamic aging mechanism that prevents cache pollution that can otherwise occur with frequency-based replacement policies. For more information about the GDSF and LFUDA cache replacement policies see http://www.hpl.hp.com/techreports/1999/HPL-199969.html and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. Note: If using the LFUDA replacement policy you should increase the value of maximum_object_size above its default of 4096 KB to maximize the potential byte hit rate improvement of LFUDA.

Arguments policy

One of the above mentioned policies

Example(s) cache_replacement_policy heap LFUDA

TAG NAME

memory_replacement_policy Specifies the policy for object replacement in memory when space for new objects is not available Default memory_replacement_policy policy memory_replacement_policy lru

Description Build Option Usage Default

Synopsis Like cache_replacement_policy, this applies to memory space (RAM) for object replacement when the required space is not available for new objects. Policies are same as cache_replacemen_policy.

Arguments policy

One of the policies mentioned in cache_replacement_policy tag

Example(s) memory_replacement_policy LFUDA

LOG FILE PATH NAMES AND CACHE DIRECTORIES Squid provides a number of logs that can be used when debugging problems, and when measuring the effectiveness and identifying users and the sites they visit. Because Squid can be used to "snoop" on users browsing habits, one should carefully consider privacy laws in your region and more importantly be considerate to your users. That's being said, logs can be very valuable tools in insuring that your users get the best service possible from your cache.

TAG NAME

cache_dir

Description Build Option Usage Default

This is used to define cache directory, its path, type and size Default cache_dir Type Directory-Name Mbytes Level1 Level2 [options] cache_dir ufs /usr/local/Squid/var/cache 100 16 256

Synopsis All objects which are to be cached are stored in the disk space defined by this tag. This defines the path to cache directory, cache directory name, type and size of the cache area.

Arguments Type

Type specifies the kind of storage system to use. Only "ufs" is built by default. To enable any of the other storage systems see the --enable-storeio configure option. Type is one of the following: 1. ufs is the old well-known Squid storage format that has always been there. 2. aufs uses the same storage format as ufs, utilizing POSIX-threads to avoid blocking the main Squid process on disk-I/O.This was formerly known in Squid as async-io. 3. diskd uses the same storage format as ufs, utilizing a separate process to avoid blocking the main Squid process on disk-I/O. Type ufs aufs diskd

Usage cache_dir ufs Directory-Name Mbytes L1 L2 [options] cache_dir aufs Directory-Name Mbytes L1 L2 [options]s cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]

Directory-Name Directory name is a top-level directory where cache swap files will be stored.If you want to use an entire disk or caching, then this can be the mount-point directory. The directory must exist and be writable by the Squid process. Squid will NOT create this directory for you. Mbytes Mbytes is the amount of disk space (in MB) to use under this directory. The default is 100 MB. Change this to suit your configuration Level1 Number of first-level subdirectories which will be created under the Directory. The default is 16. Level2 number of second-level subdirectories which will be created under each first-level directory. The default is 256. Q1 number of unacknowledged I/O requests when Squid stops opening new files. If this many messages are in the queues, Squid won't open new files. Default is 64. Q2 number of unacknowledged messages when Squid starts blocking. If this many messages are in the queues, Squid blocks until it receives some replies. Default is 72. Option: max-size=n

refers to the max object size this storedir supports. It is used to initially choose the storedir to dump the object.

Note: To make optimal use of the max-size limits you should order the cache_dir lines with the smallest max-size value first and the ones with no max-size specification last.

Example(s) cache_dir ufs /cache_dir 5000 16 256

TAG NAME

logformat

Description Build Option Usage Default

Defines the format for storing access logs in access.log file Default logformat none

Synopsis Using this, the default log format can be changed according to the requirement. This customizable format will be needed when you want to perform analysis on the logs stored in access.log file.

Arguments name format specification

Identifier holding the customized logformat It is a string embedded with % format codes

% format codes all follow the same basic structure where all but the formatcode is optional. Output strings are automatically quoted as required according to their context and the output format modifiers are usually unneeded but can be specified if an explicit quoting format is desired. The logformat name should be added at the end of access log file in the access_log tag. % ["|[|'|#] [-] [[0]width] [{argument}] formatcode

" [ # ' -

quoted string output format

width {arg}

field width. If starting with 0 then output is zero padded argument such as header name etc

Squid log quoted format as used by log_mime_hdrs URL quoted output format No automatic quoting left aligned

Format codes: >a Client source IP address >A Client FQDN h Request header. Optional header name argument on the format header[:[separator]element] h un User name ul User login ui User ident ue User from external acl Hs HTTP status code Ss Squid request status (TCP_MISS etc) Sh Squid hierarchy status (DEFAULT_PARENT etc) mt MIME content type rm Request method (GET/POST etc) ru Request URL rv Request protocol version et Tag returned by external acl ea Log string returned by external acl auth_param basic children 20 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 1800 seconds external_acl_type checkip children=20 %LOGIN %SRC /usr/local/Squid/bin/checkip.pl acl password external checkip acl it src 172.16.20.1-172.16.20.199/255.255.255.255 http_access allow it password Allows user if user belongs to a group that is allowed during a given time and using a given ip.

Recommended minimum acl configuration acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 acl Safe_ports port 21 acl Safe_ports port 443 563 acl Safe_ports port 70 acl Safe_ports port 210 acl Safe_ports port 1025-65535 acl Safe_ports port 280 acl Safe_ports port 488 acl Safe_ports port 591 acl Safe_ports port 777 acl CONNECT method CONNECT

TAG NAME

http_access Using this, you can allow or deny the access lists defined by acl Default http_access allow|deny [!] aclname ... http_access deny all

Description Build Option Usage Default

Synopsis This is used for filtering based on the acl matchings. If none of the "access" lines cause a match, the default is the opposite of the last line in the list. If the last line was deny, then the default is allow. Conversely, if the last line is allow, the default will be deny. For these reasons, it is a good idea to have an "deny all" or "allow all" entry at the end of your access lists to avoid potential confusion.

Arguments allow/deny aclname

Allow or deny on matching the acl Access list to be allowed/denied on match

Example(s) To allow http_access for only one machine with MAC Address 00:08:c7:9f:34:41 To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24 Can i use multitime access control list for different users for different timing Rules are read from top to bottom

Note The deny all line is very important. After all the http_access rules, if access isn't denied, it's ALLOWED !! So, specifying a LOT of http_access allow rules, and forget the deny all after them, is the same of NOTHING. If access isn't allowed by one of your rules, the default action ( ALLOW ) will be triggered. So, don't forget the deny all rule AFTER all the rules. And, finally, don't forget rules are read from top to bottom. The first rule matched will be used. Other rules won't be applied.

Recommended minimum http_access configuration http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny all

TAG NAME Description Build Option Usage Default

http_reply_access This is complementary to http_access which allows or denies clients replies Default http_reply_access allow|deny [!] aclname ... http_reply_access allow all

Synopsis This is used for filtering based on the acl matchings but on the client requests reply. If none of the access lines cause a match, then the opposite of the last line will apply. Thus it is good practice to end the rules with an "allow all" or "deny all" entry.

Arguments allow/deny aclname

Allow or deny on matching the acl Access list to be allowed/denied on match

Example(s) acl reject urlpath_regex i home http_reply_access deny reject

TAG NAME

icp_access

Description Build Option Usage Default

Allowing or Denying access to the ICP port based on defined access lists Default icp_access allow|deny [!] aclname ... icp_access deny all

Synopsis This tag controls icp access on defined access lists.

Arguments allow/deny aclname

Allow or deny on matching the acl Access list to be allowed/denied on match

Example(s) icp_access allow all Allows ICP queries from everyone.

TAG NAME Description Build Option Usage Default

miss_access Used to force your neighbours to use you as sibling instead of parent Default miss_access allow|deny [!] aclname ... miss_access allow all

Synopsis This tag forces the neighbouring peers to treat you as sibling instead of parent.

Arguments allow/deny aclname

Allow or deny on matching the acl Access list to be allowed/denied on match

Example(s) acl localclients src 172.16.0.0/16 miss_access allow localclients miss_access deny !localclients This means that only your local clients are allowed to fetch MISSES and all other clients can only fetch HITS.

TAG NAME Description Build Option Usage Default

cache_peer_access Similar to cache_peer_domain but provides more flexibility by using ACL elements Default cache_peer_access cache-host allow|deny [!]aclname ... none

Synopsis The syntax is identical to http_access and the other lists of ACL elements. See http_access for further reference.

Arguments allow/deny aclname

Allow or deny on matching the acl Access list to be allowed/denied on match

Example(s) The following example could be used, if we want all requests from a specific IP address range to go to a specific cache server (for accounting purposes, for example). Here, all the requests from the 10.0.1.* range are passed to proxy.visolve.com, but all other requests are handled directly. Using acls to select peers, acl myNet src 10.0.0.0/255.255.255.0 acl cusNet src 10.0.1.0/255.255.255.0 acl all src 0.0.0.0/0.0.0.0 cache_peer proxy.visolve.com parent 3128 3130

cache_peer_access proxy.visolve.com allow custNet cache_peer_access proxy.visolve.com deny all

TAG NAME

ident_lookup_access A list of ACL elements which, if matched, cause an ident (RFC 931) lookup to be performed for this request Default ident_lookup_access allow|deny aclname ident_lookup_access deny all

Description Build Option Usage Default

Synopsis This tag allows or denies ident lookups an matching the access lists. Note: Only src type ACL checks are fully supported. A src_domain ACL might work at times, but it will not always provide the correct result. This option may be disabled by using --disable-ident-lookups with the configure script.

Arguments allow/deny aclname

Allow or deny on matching the acl Access list to be allowed/denied on match

Example(s) To enable ident lookups for specific client addresses, you can follow this example, acl ident_aware_hosts src 198.168.1.0/255.255.255.0 ident_lookup_access allow ident_aware_hosts ident_lookup_access deny all

TAG NAME Description

tcp_outgoing_tos Allows you to select a TOS/Diffserv value to mark outgoing connections with, based on the username or source address making the request Default tcp_outgoing_tos ds-field [!]aclname ... none

Build Option Usage Default

Synopsis The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or "default" to use whatever default your host has. Processing proceeds in the order specified, and stops at first fully matching line.

Arguments ds-fiels aclname

Outgoing TOS value Identifier that contains the list to match on

Example(s) acl good_service_net src 10.0.1.0/255.255.255.0 tcp_outgoing_tos 0x20 good_service_net Here, good_service_net uses the TOS value 0x20

TAG NAME

tcp_outgoing_address

Description

Allows you to map requests to different outgoing IP addresses based on the username or source address of the user making the request Default tcp_outgoing_address ipaddr [[!]aclname] ... none

Build Option Usage Default

Synopsis Processing proceeds in the order specified, and stops at first fully matching line.

Arguments ipaddr aclname

Outgoing ip address Access lists

Example(s) acl normal_net src 172.16.1.0/24 tcp_outgoing_address 172.16.1.53 normal_net Here requests from machines in network 172.16.1.0 will be sent as request from 172.16.1.53 to the origin server.

TAG NAME Description Build Option Usage Default

reply_body_max_size This option specifies the maximum size of a reply body Default reply_body_max_size size [acl acl...] none

Synopsis Using this you can prevent users from downloading very large files, such as MP3's and movies. Note: 1. Downstream caches probably can not detect a partial reply if there is no content-length header, so they will cache partial responses and give them out as hits. You should NOT use this option if you have downstream caches. 2. A maximum size smaller than the size of Squid's error messages will cause an infinite loop and crash Squid. Ensure that the smallest non-zero value you use is greater that the maximum header size plus the size of your largest error page.

Arguments size acl

Maximum reply body size Access lists on which this functions during match

Example(s) acl site url_regex -i ^http://www.visolve.com reply_body_max_size 5 KB site Here, the reply contains content-length. Its size is checked with the specified value. If it is greater then the specified range the an error page is displayed only for this site while access to other sites are allowed.

TAG NAME Description Build Option Usage Default

log_access This options allows you to control which requests gets logged to access.log Default log_access allow|deny acl acl... none

Synopsis Sometimes you will not be interested in certain access to be logged in the access.log file. This can be implemented using this tag as follows.

Arguments allow/deny aclname

Allow or deny on matching the acl Access list to be allowed/denied on match

Example(s) acl google url_regex ^http://www.google.co.in log_access deny google access_log /usr/local/Squid3.0pre3/var/logs/access.log common google This will not log access to http://www.google.co.in into the access.log file.

Example(s) (1) To allow http_access for only one machine with MAC Address 00:08:c7:9f:34:41 To use MAC address in ACL rules. Configure with option -enable-arp-acl. acl all src 0.0.0.0/0.0.0.0 acl pl800_arp arp 00:08:c7:9f:34:41 http_access allow pl800_arp http_access deny all (2) To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24 acl ip_acl src 192.168.2.0/24 acl time_acl time M T W H F 9:00-17:00 http_access allow ip_acl time_acl http_access deny all (3) Can i use multitime access control list for different users for different timing. Acl Defnitions, acl abc src 172.161.163.85 acl xyz src 172.161.163.86 acl asd src 172.161.163.87 acl morning time 06:00-11:00 acl lunch time 14:00-14:30 acl evening time 16:25-23:59 Access Controls, http_access allow abc morning http_access allow xyz morning lunch http_access allow asd lunch This is wrong. The description follows: Here access line "http_access allow xyz morning lunch" will not work. So ACLs are interpreted like this ... http_access RULE statement1 AND statement2 AND statement3 OR http_access ACTION statement1 AND statement2 AND statement3 OR ........ So, the ACL "http_access allow xyz morning lunch" will never work, as pointed, because at any given time, morning AND lunch will ALWAYS be false, because both morning and lunch will NEVER be true at the same time. As one of them is false, and acl uses AND logical statement, 0/1 AND 0 will always be 0 (false). That's because this line is in two. If now read, http_access allow xyz AND morning OR http_access allow xyz lunch If request comes from xyz, and we're in one of the allowed time, one of the rules will match TRUE. The other will obviously match FALSE. TRUE OR FALSE will be TRUE, and access will be permitted.

Finally Access Control looks... http_access allow abc morning http_access allow xyz morning http_access allow xyz lunch http_access allow asd lunch http_access deny all (4) Rules are read from top to bottom. The first rule matched will be used. Other rules won't be applied. http_access allow xyz morning http_access deny xyz http_access allow xyz lunch If xyz tries to access something in the morning, access will be granted. But if he tries to access something at lunchtime, access will be denied. It will be denied by the deny xyz rule, that was matched before the 'xyz lunch' rule.

ADMINISTRATIVE PARAMETERS The parameters in this section allow the Squid admin to specify, for example, which users and groups have the right to run Squid, what host name should be displayed while displaying errors, which users have the authority to view Cache activity details, etc.

TAG NAME Description Build Option Usage Default

cache_mgr This is to specify email address of the administrator of this cache Default cache_mgr mail_id cache_mgr webmaster

Synopsis This is the address which will be added to any error pages that are displayed to clients. Defaults to either webmaster.

Arguments mail_id

Mail id to be displayed

Example(s) cache_mgr [email protected]

TAG NAME Description Build Option Usage

cache_effective_user, cache_effective_group The user name and group name Squid will operate as Default cache_effective_user username cache_effective_group groupname cache_effective_user nobody cache_effective_group nogroup

Default

Synopsis Squid is designed to start as root but very soon after drop to the user/group specified here. This allows you to restrict, for security reasons, the permissions that Squid will have when operating. By default, Squid will operate as either nobody user and the nogroup group. Note: If these tags are not configured properly, then Squid will have problems while starting.

Arguments username groupname

Username for Squid process Group name for Squid process

Example(s) cache_effective_user Squid

cache_effective_group Squid

TAG NAME Description Build Option Usage Default

visible_hostname The host name that Squid will advertise itself on Default visible_hostname anyname none

Synopsis This effects the host name that Squid uses when serving error messages. This option may need to be configured in cache clusters if you receive IP-Forwarding errors. Note: If not configured, Squid will not start.

Arguments anyname

Name of the Squid machine

Example(s) visible_hostname SYS-CO1

TAG NAME

unique_hostname Used to set a unique host name for Squid to report in cache clusters in order to allow detection of forwarding loops Default unique_hostname hostname none

Description Build Option Usage Default

Synopsis If you want to have multiple machines with the same visible_hostname then you must give each machine a different unique_hostname so that forwarding loops can be detected. In brief, Just set visible_hostname to the address the clients connects to, and unique_hostname to the externally visible address of each proxy. (address == registered domain name).

Arguments hostname

Unique name of the Squid machine

Example(s) unique_hostname www.kovaiteam.com

TAG NAME Description Build Option Usage Default

hostname_aliases Used to list of other DNS names that your cache has Default hostname_aliases name none

Synopsis There may be situations where you system or cache have more than one DNS names. In such situations you may specify the DNS names in this tag.

Arguments name

Alias name

Example(s) hostname_aliases rose

CACHE REGISTRATION SERVICE This section contains configurations needed for the (optional) cache announcement service. This service is provided to help cache administrators locate one another in order to join or create cache hierarchies. An announcement message is sent (via UDP) to the registration service by Squid. By default, the announcement message is NOT SENT unless you enable it with announce_period below. All current information is processed regularly and made available on the Web at http://www.ircache.net/Cache/Tracker/.

TAG NAME Description Built Option Usage Default

announce_period Defines the rate of sending announcement messages Default announce_period units announce_period 0

Synopsis This tag refers to the frequency at which Squid will send announcement messages to the announce host. Defaults to 0 which stops sending announcement messages.

Arguments units

Announce time period

Example(s) announce_period 10

TAG NAME Description

announce_host Used to define the host address to which Squid will send announcement message to participate in the cache hierarchy Default announce_host hostname announce_host tracker.ircache.net

Built Option Usage Default

Synopsis announce_host defines the host for sending announcement messages to get participated in the cache hierarchy.

Arguments hostname

Host name for announcement message

Example(s) announce_host cache.ircache.net

TAG NAME Description Built Option Usage Default

announce_port Port through which Squid sends announcement message to participate in the cache hierarchy Default announce_port portnumber announce_port 3131

Synopsis announce_port defines the port to send announcement message for participating in the cache hierarchy.

Arguments portnumber

Port where Squid binds the socket

Example(s) announce_port 3132

TAG NAME

announce_file

Description Built Option Usage Default

Defines the file whose contents to be sent along with the announcements Default announce_file filename -

Synopsis announce_file contains message to be sent with announcements.

Arguments filename File whose content to be sent

Example(s) announce_file /usr/local/file1

MISCELLANEOUS This section covers configurations that could not be explicitly bundled in with any of the previous categories. Examples of features covered here are limiting the growth of log files, displaying customized information to clients upon error conditions or access denial, defining memory pools for Squid, network management by enabling SNMP, co-ordination with neighbor caches by enabling WCCP, directing the requests either to the origin server or to the neighbor cache, etc.

TAG NAME

dns_testnames This points to a number of hosts that Squid can use to test if DNS service is working properly on your network Default dns_testnames url dns_testnames netscape.com internic.net nlanr.net microsoft.com

Description Build Option Usage Default

Synopsis If DNS isn't working properly, Squid will not be able to service requests, so it will refuse to start, with a brief message regarding why in the cache.log. It is recommended that you select two or more host names on the internet and one or two host names on your intranet, assuming you have one and Squid is expected to service it. By default, the dns_testnames directive checks a few well known and popular sites: netscape.com, internic.net, nlanr.net, and microsoft.com.

Arguments url

Sites on which DNS test to be done

Example(s) dns_testnames visolve.com

TAG NAME Description Build Option Usage Default

logfile_rotate Used to specify the number of old rotated log files Squid will keep Default logfile_rotate number logfile_rotate 10

Synopsis The value in this tag defines number of rotated log files to be generated. This defaults to 10, which means Squid will keep 10 old log files before overwriting the oldest. Squid -k rotate is the command line usage to implement this function.

Arguments number

Example(s) logfile_rotate 5

Number of rotations

TAG NAME Description

append_domain The domain that Squid will append to requests that are not possibly fully qualified domain names (more precisely, those that have no dots in them) Default append_domain domainname none

Build Option Usage Default

Synopsis Using this tag, you can append the domain names to the requests that are not fully qualified domains names. Note: append_domain must begin with a period.

Arguments dimainname

Domain name to be appended

Example(s) append_domain .cgi.com

TAG NAME Description Build Option Usage Default

tcp_recv_bufsize Defines the size of the buffer used for TCP packets being received Default tcp_recv_bufsize bytes tcp_recv_bufsize 0 bytes

Synopsis When defined to a non-zero value, this determines the TCP packets receiving buffer size. By default Squid uses whatever the default buffer size for your operating system is. This is done by setting its value to zero.

Arguments bytes

Buffer size

Example(s) tcp_recv_bufsize 500 bytes

TAG NAME Description Build Option Usage Default

err_html_text Provides a means to automatically add some extra information to Squid's error pages Default err_htmal_text text none

Synopsis You can add HTML or plain text comments or links here, which will be added to the error messages displayed to clients. To include this in your error messages, you must rewrite the error template files (found in the "errors" directory). Wherever you want the err_html_text line to appear, insert a %L tag in the error template file.

Arguments text

Message to be displayed

Example(s) err_html_text [email protected] Consider you want to display this mail Id when access denied error occurs, then edit the corresponding file (ERR_ACCESS_DENIED in '$prefix/etc/errors' directory) with %L where this mail Id should be displayed.

TAG NAME

email_err_data

Description

If enabled, information about the occurred error will be included in the mailto links of the ERR pages (if %W is set) so that the email body contains the data Default email_err_data on|off email_err_data on

Build Option Usage Default

Synopsis Enabling this feature, information about the occurred error will be included in the mailto links of the ERR pages Syntax is %w

Arguments on/off

Enable or disable

TAG NAME Description

deny_info Used to define a customized error page for the requests which gets denied by http_access rules Default deny_info err_page_name acl deny_info link acl none

Build Option Usage Default

Synopsis You might have defied certain rules which filters access to certain domains. While accessing those domains, Squid normally displays a default error page. Using this tag, we can define a customized error page.

Arguments err_page_name Customized error page to be displayed acl acl for which the page to be displayed link Link to be displayed on deny access

Example(s) acl test1 urlpath_regex -i .index.html http_access deny test1 deny_info http://www.google.co.in test1 On satisfying http_access, instead of the default error page, the site google will be loaded.

TAG NAME Description

memory_pools This allows Squid to keep memory that it has allocated (but no longer needs), so that it will not need to reallocate memory in the future Default memory_pools on|off memory_pools on

Build Option Usage Default

Synopsis Memory pools can improve performance to a small margin by allocating memory, but may need to be turned off if memory is at a premium on your system. This option defaults to on.

Arguments on/off

Enable or disable memory pool feature

TAG NAME

memory_pools_limit

The amount of memory Squid will keep allocated, assuming the Keep memory for future use option is turned on Default memory_pools_limit bytes none

Description Build Option Usage Default

Synopsis Any non-zero value to this tag will instruct Squid not to keep more than that amount allocated, and if Squid requires more memory than that to fulfill a request, it will use your system's malloc library. Squid does not pre-allocate memory, so it is safe to set this reasonably high. If your Squid runs on a dedicated host, it is probably wisest to leave it to its default of unlimited. If it must share the system with other server processes (like Apache or Sendmail) then it might be appropriate to limit it somewhat.

Arguments bytes

Memory pool limit size

Example(s) memory_pools_limit 50 MB

TAG NAME Description Build Option Usage Default

via Enable/disable via header Default via on|off via on

Synopsis If set (default), Squid will include a Via header in requests and replies as required by RFC2616.

Arguments on/off

Enable/disable via header

TAG NAME Description

forwarded_for This option allows you to choose whether Squid will report the host name of the system that originally made the request to the origin server Default forwarded_for on|off forwarded_for on

Build Option Usage Default

Synopsis If set, Squid will include your system's IP address or name in the HTTP requests it forwards. By default it looks like this: X-ForwardedFor: 192.1.2.3 If you disable this, it will appear as X-Forwarded-For: unknown

Arguments on/off

Enable or disable

TAG NAME

log_icp_queries

Description Build Option Usage Default

Dictates whether Squid will log ICP requests Default log_icp_queries on|off log_icp_queries on

Synopsis When you fell if ICP loads are very high, you can disable it otherwise you can enable for logging ICP requests.

Arguments on/off

Enable or disable logging ICP queries

TAG NAME Description Build Option Usage Default

icp_hit_stale Enable/disable to return ICP_HIT for stale cache objects Default icp_hit_stale on|off icp_hit_stale off

Synopsis If you want to return ICP_HIT for stale cache objects, set this option to 'on'. If you have sibling relationships with caches in other administrative domains, this should be 'off'. If you only have sibling relationships with caches under your control, then it is probably okay to set this to 'on'. If set to 'on', then your siblings should use the option "allow-miss" on their cache_peer lines for connecting to you.

Arguments on/off

Enable or disable

TAG NAME Description Build Option Usage Default

minimum_direct_hops Define minimum number of direct hops after which it directs Squid to do direct fetches Default minimum_direct_hops number minimum_direct_hops 4

Synopsis When using ICMP pinging features of Squid to determine distance to peers and origin servers, this configures when Squid should prefer going direct over a peer. This parameter plays a role in deciding latency.

Arguments number

Number of hops

Example(s) minimum_direct_hops 10

TAG NAME Description Build Option Usage Default

minimum_direct_rtt Defines minimum rtt after which it directs Squid to do direct fetches Default minimum_direct_rtt timeunits minimum_direct_rtt 400

Synopsis If using the ICMP pinging stuff, do direct fetches for sites which are no more than this many rtt milliseconds away.

Arguments timeunits

Round Trip Time

Example(s) minimum_direct_rtt 200

TAG NAME Description Build Option Usage Default

cachemgr_passwd Specify passwords for cachemgr operations Default cachemgr_passwd password action action ... none

Synopsis By using this we can have secured administration over the Squid. Actions: 5min, 60min, asndb, authenticator, cbdata, client_list, comm_incoming, config *, counters, delay, digest_stats, dns, events, filedescriptors, fqdncache, histograms, http_headers, info, io, ipcache, mem, menu, netdb, non_peers, objects, offline_toggle *, pconn, peer_select, redirector, refresh, server_list, shutdown *, store_digest, storedir, utilization, via_headers, vm_objects. * Indicates actions which will not be performed without a valid password, others can be performed if not listed here. To disable an action, set the password to "disable". To allow performing an action without a password, set the password to "none". Use the keyword "all" to set the same password for all actions.

Arguments password action

Password for the action Action as described above

Example(s) cachemgr_passwd secret shutdown

TAG NAME Description Build Option Usage Default

store_avg_object_size Average object size, used to estimate number of objects your cache can hold. Default store_avg_object_size size(Kbytes) store_avg_object_size 13 KB

Synopsis To Estimate the number of objects your cache can hold: NUM_OBJ = cache_swap / store_avg_object_size where, cache_swap is the size of the cache.

Arguments size

Size of the object

Example(s) store_avg_object_size 100 KB

TAG NAME Description Build Option Usage Default

store_objects_per_bucket Defines the number of objects in each store hash table Default store_objects_per_bucket number store_objects_per_bucket 20

Synopsis Target number of objects per bucket in the store hash table. Lowering this value increases the total number of buckets and also the storage maintenance rate.

Arguments number

Number of objects

Example(s) store_objects_per_bucket 50

TAG NAME Description Build Option Usage Default

client_db Allows you to choose whether Squid will keep statistics regarding each individual client Default client_db on|off client_db on

Synopsis If you want to disable collecting per-client statistics, then turn off client_db here.

Arguments on/off

Enable or disable collecting client statistics

TAG NAME Description Build Option Usage

netdb_low, netdb_high Defines low and high water marks for the ICMP measurement database Default netdb_low number netdb_high number netdb_low 900 netdb_high 1000

Default

Synopsis These measurements are counts and not percentage. The defaults are 900 and 1000. When the high water mark is reached, database entries will be deleted until the low mark is reached.

Arguments number

Number of entries

Example(s) netdb_low 500 netdb_high 800

TAG NAME Description Build Option Usage Default

netdb_ping_period Defines minimum period for measuring a site Default netdb_ping_period timeunits netdb_ping_period 5 minutes

Synopsis When this is defined, there will be at least this much delay between successive pings to the same network. The default is five minutes.

Arguments timeunits

Time period between successive pings

Example(s) netdb_ping_period 15 minutes

TAG NAME Description Build Option Usage Default

query_icmp Enabling this option, makes Squid to ask your peers to include ICMP data in their ICP replies --enable-icmp query_icmp on|off query_icmp off

Synopsis If your peer has configured Squid (during compilation) with '--enable-icmp' then that peer will send ICMP pings to origin server sites of the URLs it receives. If you enable this option then the ICP replies from that peer will include the ICMP data (if available). Then, when choosing a parent cache, Squid will choose the parent with the minimal RTT to the origin server. When this happens, the hierarchy field of the access.log will be "CLOSEST_PARENT_MISS". This option is off by default.

Arguments on/off

Enable or disable this option

TAG NAME Description

test_reachability When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH instead of ICP_MISS if the target host is NOT in the ICMP database, or has a zero RTT Default test_reachability on|off test_reachability off

Build Option Usage Default

Synopsis If the target host is NOT in the ICMP database, or has a zero RTT, enabling this tag, ICP MISS replies will be ICP_MISS_NOFETCH instead of ICP_MISS.

Arguments on/off

Enable or disable

TAG NAME

buffered_logs Buffering and unbuffering can be done while writing cache.log with stdio functions using this tag Default buffered_logs on|off buffered_logs off

Description Build Option Usage Default

Synopsis Buffering it can speed up the writing slightly. By default it will be unbuffered.

Arguments on/off

Enable or disable buffering

TAG NAME

reload_into_ims When you enable this option, client no-cache or reload requests will be changed to If-Modified-Since requests Default reload_into_ims on|off reload_into_ims off

Description Build Option Usage Default

Synopsis This tag is used to change clients no-cache or reload requests to IMS(if-modified sequence). Note: Enabling this feature could make you liable for problems which it causes.

Arguments on/off

Enable or disable

TAG NAME

always_direct Here you can use ACL elements to specify requests which should ALWAYS be forwarded directly to origin servers Default always_direct allow|deny [!]aclname ... none

Description Build Option Usage Default

Synopsis Allows you to easily pick which ACL matches will not be cached. Requests that match the selected ACLs will always be answered from the origin server. Example below explains the tag to a clear extent.

Arguments allow/deny aclname

Allow or deny direct access Access list on which this should act

Example(s) acl local-servers dstdomain my.domain.net always_direct allow local-servers To always forward FTP requests directly, use acl FTP proto FTP always_direct allow FTP

TAG NAME

never_direct With never_direct you can use ACL elements to specify requests which should NEVER be forwarded directly to origin servers Default never_direct allow|deny [!] aclname ... none

Description Build Option Usage Default

Synopsis never_direct is the opposite of always_direct. By default all requests are not forwarded directly to the origin server. The following example explains this tag.

Arguments allow/deny aclname

Deny or allow direct access Access list on which this should act

Example(s) To force the use of a proxy for all requests, except those in your local domain use something like acl local-servers dstdomain .foo.net acl all src 0.0.0.0/0.0.0.0 never_direct deny local-servers never_direct allow all or if Squid is inside a firewall and there is local intranet servers inside the firewall then use something like: acl local-intranet dstdomain .foo.net acl local-external dstdomain external.foo.net always_direct deny local-external always_direct allow local-intranet never_direct allow all

TAG NAME

header_access

Description Build Option Usage Default

This creates a list of ACLs for each header, allowing you very fine-tuned header mangling Default header_access allow|deny header_name ... none

Synopsis This option replaces the old 'anonymize_headers' and the older 'http_anonymizer' option with something that is much more configurable. This new method creates a list of ACLs for each header, allowing you very fine-tuned header mangling. You can only specify known headers for the header name. Other headers are reclassified as 'Other'. You can also refer to all the headers with 'All'.

Arguments allow/deny header_name

Allow or deny access for the specified header name Header name

Example(s) header_access Proxy-Connection allow all

TAG NAME

header_replace This option allows you to change the contents of headers denied with header_access above Default header_replace header_name message none

Description Build Option Usage Default

Synopsis For headers denied with header_access, this tag allows to replace the content of the header using the message specified This is done by replacing them with some fixed string. This replaces the old fake_user_agent option. By default, headers are removed if denied.

Arguments header_name Header for which content to be changed message Content to be replaced with the message specified here

Example(s) header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)

TAG NAME

icon_directory

Description Build Option Usage Default

Used to specify the path to icon deirectory Default icon_directory path/directoryname icon_directory /usr/local/Squid/share/icons

Synopsis This tag is used to indicate the icon directory.

Arguments path/directoryname

Location path and name of the directory

Example(s) icon_directory /usr/local/icons

TAG NAME

error_directory

Description Build Option Usage Default

Defines path to your own error directory Default error_directory path/directoryname error_directory /usr/local/Squid/share/errors/English

Synopsis Used to specify location and name of the error directory used.

Arguments path/directoryname

Location path and name of the directory

Example(s) error_directory /usr/local/error

TAG NAME Description Build Option Usage Default

maximum_single_addr_tries This sets the maximum number of connection attempts for a host that has only one address Default maximum_single_addr_tries number maximum_single_addr_tries 3

Synopsis If the host has more number of address (for multiple-address hosts), each address is tried once. The default value is three tries, the (not recommended) maximum is 255 tries. Note: A warning message will be generated if it is set to a value greater than ten.

Arguments number

Number of tries

Example(s) maximum_single_addr_tries 5

TAG NAME Description Build Option Usage Default

snmp_port Squid serves statistics and status information via SNMP defined using this tag --enable-snmp snmp_port port_number snmp_port 3401

Synopsis By default it listens to port 3401 on the machine. If you don't wish to use SNMP, set this to "0".

Arguments port_number Port where Squid binds the socket

Example(s) snmp_port 3401

TAG NAME

snmp_access

Description Build Option Usage Default

Access to SNMP port is controlled using this tag --enable-snmp snmp_access allow|deny [!]aclname ... snmp_port 3401

Synopsis All access to the agent is denied by default.

Arguments allow/deny aclname

Allow or deny access Access list this should act on

Example(s) snmp_access allow snmppublic localhost snmp_access deny all

TAG NAME Description Build Option Usage

snmp_incoming_address, snmp_outgoing_address Defines the interface for snmp incoming and outgoing requests --enable-snmp snmp_incoming_address ip_address snmp_outgoing_address ip_address snmp_incoming_address 0.0.0.0 snmp_outgoing_address 255.255.255.255

Default

Synopsis The default snmp_incoming_address (0.0.0.0) is to listen on all available network interfaces. If snmp_outgoing_address is set to 255.255.255.255 (the default) then it will use the same socket as snmp_incoming_address. Only change this if you want to have SNMP replies sent using another address than where this Squid listens for SNMP queries. Note: snmp_incoming_address and snmp_outgoing_address can not have the same value since they both use port 3401.

Arguments ip_address

Incoming and outgoing interface address

Example(s) snmp_incoming_address 172.16.1.35 snmp_outgoing_address 172.16.1.36

TAG NAME Description Build Option Usage Default

as_whois_server This is to query AS numbers Default as_whois_server server_name as_whois_server whois.ra.net

Synopsis AS numbers are queried only when Squid starts up, not for every request.

Arguments server_name Server name for which AS numbers to be queried

Example(s) as_whois_server ra.net

TAG NAME

wccp_router

Description Build Option Usage Default

To define your WCCP "home'' router for Squid Default wccp_router ip_address wccp_router 0.0.0.0

Synopsis Setting the wccp_router to 0.0.0.0 (the default) disables WCCP.

Arguments ip_address

ip address of the router

Example(s) wccp_router 172.16.1.100

TAG NAME Description Build Option Usage Default

wccp_version Used to specify the version of Cisco IOS used in the Router Default wccp_version version_number wccp_version 4

Synopsis According to some users, Cisco IOS 11.2 only supports WCCP version 3. If you're using that version of IOS, change this value to 3.

Arguments version_number

IOS version number

Example(s) wccp_router 172.16.1.100

TAG NAME Description Build Option Usage Default

wccp_incoming_address, wccp_outgoing_address Defines the interface through which WCCP requests will be sent and received Default wccp_incoming_address ip_ddress wccp_outgoing_address ip_ddress wccp_incoming_address 0.0.0.0 wccp_outgoing_address 255.255.255.255

Synopsis wccp_incoming_address - Use this option if you require WCCP messages to be received on only one interface. Do NOT use this option if you're unsure how many interfaces you have, or if you know you have only one interface. wccp_outgoing_address - Use this option if you require WCCP messages to be sent out on only one interface. Do NOT use this option if you're unsure how many interfaces you have, or if you know you have only one interface. The default behavior is to not bind to any specific address.

Arguments ip_address

Incoming and outgoing ip_address

Example(s) wccp_incoming_address 172.16.1.36 wccp_outgoing_address 172.16.1.35

Note wccp_incoming_addressand wccp_outgoing_address can not have the same value since they both use port 2048.

DELAY POOL PARAMETERS Conceptually, delay pools are bandwidth limiters - "pools" of bandwidth that drain out as people browse the Web, and fill up at the rate specified - this can be thought of as a leaky bucket that is continually being filled. This is useful when bandwidth charges are in place, if we want to reduce bandwidth usage for web traffic. Delay Pools can do wonders when combined with ACLs. These tags permit us to limit the bandwidth of certain requests, based on any criteria. Delay behavior is selected by ACLs (low and high priority traffic, staff Vs students or student Vs authenticated student or so on). In ISPs, delay pools can be implemented in a particular network to improve the quality of service. To enable this, Squid needs to be configured with the --enable-delay-pools option.

TAG NAME Description Built Option Usage Default

delay_pools Used to specify number of delay pools --enable-delay-pools delay_pools number delay_pools 0

Synopsis This represents the number of delay pools to be used. For example, if you have one class 2 delay pool and one class 3 delays pool, you have a total of 2 delay pools.

Arguments number

Number of delay pools

Example(s) delay_pools 5

TAG NAME Description Built Option Usage Default

delay_class This defines the class of each delay pool --enable-delay-pools delay_class pool-number class-number none

Synopsis Class of the delay pool used is defined using this tag. There must be exactly one delay_class line for each delay pool. There are five categories of delay classes. class 1 Everything is limited by a single aggregate bucket. class 2 Everything is limited by a single aggregate bucket as well as an "individual" bucket chosen from bits 25 through 32 of the IP address. class 3 Everything is limited by a single aggregate bucket as well as a "network" bucket chosen from bits 17 through 24 of the IP address and a "individual" bucket chosen from bits 17 through 32 of the IP address. class 4 Everything in a class 3 delay pool, with an additional limit on a per user basis. This only takes effect if the username is established in advance - by forcing authentication in your http_access rules. class 5 Requests are grouped according their tag (see external_acl_type tag= reply). If an IP address is a.b.c.d -> bits 25 through 32 are "d" -> bits 17 through 24 are "c" -> bits 17 through 32 are "c * 256 + d"

Arguments pool-number class-number

Delay pool number Delay class number

Example(s) delay_pools 2 delay_class 1 2

( pool 1 is a class 2 pool)

delay_class 2 3

( pool 2 is a class 3 pool)

TAG NAME Description Built Option Usage Default

delay_access This is used to determine which delay pool a request falls into --enable-delay-pools delay_access delay_pool allow/deny domainname none

Synopsis The first matched delay pool is always used, i.e., if a request falls into delay pool number one, no more delay are checked, otherwise the rest are checked in order of their delay pool number until they have all been checked.

Arguments delay_pool allow/deny domainname

Delay pool number Allow or deny access Domain name on which this should act

Example(s) If you want some_big_clients in delay pool 1 and lotsa_little_clients in delay pool 2: delay_access 1 allow some_big_clients delay_access 1 deny all delay_access 2 allow lotsa_little_clients delay_access 2 deny all delay_access 3 allow authenticated_clients

TAG NAME Description Built Option Usage Default

delay_parameters Defines the parameters for a delay pool --enable-delay-pools delay_parameters pool aggregate (In general). For detailed format refer usage syntax bellow none

Synopsis Using this tag, delay parameters for each each delay pool has a number of "buckets" associated with it, as explained in the description of delay_class. Usage syntax for each class: class 1 delay_parameters pool aggregate class 2 delay_parameters pool aggregate individual class 3 delay_parameters pool aggregate network individual class 4 delay_parameters pool aggregate network individual user class 5 delay_parameters pool tag A pair of delay parameters is written restore/maximum, where restore is the number of bytes (not bits - modem and network speeds are usually quoted in bits) per second placed into the bucket, and maximum is the maximum number of bytes which can be in the bucket at any time.

Arguments pool

Delay pool number - ie, a number between 1 and the number specified in delay_pools as used in delay_class lines.

aggregate individual user tag

the "delay parameters" for the aggregate bucket (class 1, 2, 3). the "delay parameters" for the network buckets (class 3). user on which this condition is applied the delay parameters for the tag buckets (class 5).

Example(s) If delay pool number 1 is a class 2 delay pool is being used to strictly limit each host to 64kbps (plus overheads), with no overall limit, the

usage is, delay_parameters 1 -1/-1 8000/8000 For a class 4 delay pool, each user will be limited to 128 Kbs no matter how many workstations they are logged into: delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000

TAG NAME Description

delay_initial_bucket_level Used to determine how much data is put in each bucket when Squid starts, is reconfigured, or first notices a host accessing it --enable-delay-pools delay_initial_bucket_level percent(0-100) delay_initial_bucket_level 50

Built Option Usage Default

Synopsis The initial bucket percentage is used to determine how much is put in each bucket when Squid starts, is reconfigured, or first notices a host accessing it. In class 2 and class 3, individual hosts and networks only have buckets associated with them once they have been "seen" by Squid

Arguments percent

Initial bucket level in percentage

Example(s) delay_initial_bucket_level 20

TAG NAME

Description Built Option Usage Default

incoming_icp_average, incoming_http_average, incoming_dns_average, min_icp_poll_cnt, min_dns_poll_cnt, min_http_poll_cnt Using these tags, average number of ICP, HTTP requests, their polling rates can be specified --enable-delay-pools Tagname number incoming_icp_average 6 incoming_http_average 4 incoming_dns_average 4 min_icp_poll_cnt 8 min_dns_poll_cnt 8 min_http_poll_cnt 8

Synopsis INCOMING sockets are the ICP and HTTP ports. Squid need to check these fairly regularly, but how often? When the load increases, Squid want to check the incoming sockets more often. If Squid have a lot of incoming ICP, then it needs to check these sockets more than if we just have HTTP. These change of algorithms by Squid are decided by these tags.

Arguments Number

Number to change the algorithm used by Squid

Example(s) incoming_icp_average 3 incoming_http_average 2 incoming_dns_average 3 min_icp_poll_cnt 8 min_dns_poll_cnt 6 min_http_poll_cnt 6

TAG NAME

max_open_disk_fds

Description Built Option Usage Default

Defines number of file descriptors to be handled directly Default max_open_disk_fds number max_open_disk_fds 0

Synopsis To avoid having disk as the I/O bottleneck Squid can optionally bypass the on-disk cache if more than this amount of disk file descriptors are open. A value of 0 indicates no limit.

Arguments number

Maximum number of file descriptors

Example(s) max_open_disk_fds 5

TAG NAME Description Built Option Usage Default

offline_mode When enabled, Squid will never try to validate cached objects. Default offline_mode on|off offline_mode off

Synopsis offline_mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).

Arguments on/off

Enable or disable offline_mode feature

TAG NAME Description Built Option Usage Default

uri_whitespace Used to specify the action of Squid when the requests that have whitespace characters in the URI Default uri_whitespace action uri_whitespace strip

Synopsis When the requested URL's contains whitespaces, them this tag is used to specify the action of Squid on that URL's. Actions are shown in the table below. Actions: strip The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. deny The request is denied. The user receives an "Invalid Request" message. allow The request is allowed and the URI is not changed. The whitespace characters remain in the URI. Note the whitespace is passed to redirector processes if they are in use. encode The request is allowed and the whitespace characters are encoded according to RFC1738. This could be considered a violation of the HTTP/1.1 RFC because proxies are not allowed to rewrite URI's. chop The request is allowed and the URI is chopped at the first whitespace. This might also be considered a violation.

Arguments acion

Action of Squid on identifying the white spaces

Example(s) uri_whitespace deny

TAG NAME

broken_posts

A list of ACL elements which, if matched, causes Squid to send an extra CRLF pair after the body of a PUT/POST request Default broken_posts allow|deny aclname ... none

Description Built Option Usage Default

Synopsis Squid will send an extra CLRF pair after the body of a PUT/POST request for the access list specified is matched. Some HTTP servers has broken implementations of PUT/POST, and rely on an extra CRLF pair sent by some WWW clients.

Arguments allow/deny aclname

Allow or deny access list Access list name

Example(s) acl buggy_server url_regex ^http://.... broken_posts allow buggy_server

TAG NAME Description Built Option Usage Default

mcast_miss_addr When enabled,every "cache miss" URL will be sent out on the specified multicast address -DMULTICAST_MISS_STREAM mcast_miss_addr ip_address mcast_miss_addr 255.255.255.255

Synopsis You will be needing the "cache miss" URL to be sent on a specified multicast address. This tag provides the option. Note: Do not enable this option unless you are are absolutely certain you understand what you are doing.

Arguments ip_address

ip address through which the URL to be sent

Example(s) mcast_miss_addr 172.16.1.255

TAG NAME

mcast_miss_ttl Defines time-to-live value for packets multicasted when multicasting off cache miss URLs is enabled -DMULTICAST_MISS_TTL mcast_miss_ttl time-units mcast_miss_ttl 16

Description Built Option Usage Default

Synopsis The value specified in this tag specifies the time-to-live period for packets multicated when multicasting off cache miss URLs is enabled. By default this is set to 'site scope', i.e. 16.

Arguments time-units

Time to Live period

Example(s) mcast_miss_ttl 10

TAG NAME

mcast_miss_port

Description Built Option Usage Default

Used to define the port number to be used in conjunction with mcast_miss_addr. -DMULTICAST_MISS_STREAM mcast_miss_port portnumber mcast_miss_port 3135

Synopsis Port to be used for mcast_miss_addr. Note: This tag is used only when you enable mcast_miss_addr.

Arguments portnumber

Port number on which Squid binds the socket

Example(s) mcast_miss_port 3100

TAG NAME Description Built Option Usage Default

mcast_miss_encode_key This is the encryption key used in the multicast miss stream -DMULTICAST_MISS_STREAM mcast_miss_encode_key key mcast_miss_encode_key XXXXXXXXXXXXXXXX

Synopsis The URLs that are sent in the multicast miss stream are encrypted. This is the encryption key.

Arguments key

Encription key to be used

TAG NAME Description Built Option Usage Default

nonhierarchical_direct Enable/disable Squid to send non-hierarchial requests to parents Default nonhierarchical_direct on|off nonhierarchical_direct on

Synopsis By default, Squid will send any non-hierarchical requests (matching hierarchy_stoplist or not cacheable request type) direct to origin servers. If you set this to off, then Squid will prefer to send these requests to parents. Note that in most configurations, by turning this off you will only add latency to this request without any improvement in global hit ratio. If you are inside a firewall then see never_direct instead of this directive.

Arguments on/off

Enable or disable sending non-hierarchal requests

TAG NAME Description Built Option Usage Default

prefer_direct For enabling Squid to use parent if direct going is failed Default prefer_direct on|off prefer_direct off

Synopsis Normally Squid tries to use parents for most requests. If you by some reason like it to first try going direct and only use a parent if going direct fails then set this to on. By combining nonhierarchical_direct off and prefer_direct on you can set up Squid to use a parent as a backup path if going direct fails.

Arguments on/off

Enable or disable preferer_direct option

TAG NAME Description Built Option Usage Default

strip_query_terms For tripping query items before logging Default strip_query_terms on|off strip_query_terms on

Synopsis Squid by default does not log query parameters. These parameters are however forwarded to the server verbatim. If we want to enable logging of query parameters, the strip_query_terms directive can be used. By default, Squid strips query terms from requested URLs before logging. This protects your user's privacy

Arguments on/off

Enable or disable query parameters from logging

TAG NAME Description Built Option Usage Default

coredump_dir Squid leaves core files in the directory specified Default coredump_dir directory coredump_dir none

Synopsis By default Squid leaves core files in the directory from where it was started. If you set coredump_dir to a directory that exists, Squid will chdir() to that directory at startup and coredump files will be left there.

Arguments directory

Directory for used for core dump

Example(s) coredump_dir /usr/local

TAG NAME Description Built Option Usage Default

redirector_bypass Used for bypassing the request Default redirector_bypass on|off redirector_bypass off

Synopsis When this is 'on', a request will not go through the redirector if all redirectors are busy. If this is 'off' and the redirector queue grows too large, Squid will exit with a FATAL error and ask you to increase the number of redirectors. You should only enable this if the redirectors are not critical to your caching system. If you use redirectors for access control, and you enable this option, then users may have access to pages that they should not be allowed to request.

Arguments on/off

Enable or disable redirector_bypass

TAG NAME

ignore_unknown_nameservers

Description Built Option Usage Default

Enable or disable responses from unknown nameservers Default ignore_unknown_nameservers on|off ignore_unknown_nameservers on

Synopsis By default Squid checks that DNS responses are received from the same IP addresses that they are sent to. If they don't match, Squid ignores the response and writes a warning message to cache.log. You can allow responses from unknown nameservers by setting this option to 'off'.

Arguments on/off

Enable or disable

TAG NAME Description Built Option Usage Default

digest_generation This controls whether the server will generate a Cache Digest of its contents --enable-cache-digests digest_generation on|off digest_generation on

Synopsis This tag enables or disable the server generating a cache digest of its contents. By default, Cache Digest generation is enabled if Squid is compiled with USE_CACHE_DIGESTS defined.

Arguments on/off

Enable or disable the server generating a cache digest of its contents

TAG NAME Description Built Option Usage Default

digest_bits_per_entry Defines number of bits of server's cache digest to be associated with the digest entry --enable-cache-digests digest_bits_per_entry number digest_bits_per_entry 5

Synopsis This is the number of bits of the server's Cache Digest which will be associated with the Digest entry for a given HTTP Method and URL (public key) combination.

Arguments number

Number of bits per entry

Example(s) digest_bits_per_entry 5

TAG NAME Description Built Option Usage Default

digest_rebuild_period This is the number of seconds between Cache Digest rebuilds --enable-cache-digests digest_rebuild_period time(seconds) digest_rebuild_period 1 hour

Synopsis This tag defines the time period between successive cache digest rebuilds.

Arguments time

Time period between rebuilds

Example(s) digest_rebuild_period 2 hour

TAG NAME Description Built Option Usage Default

digest_rewrite_period This is the number of seconds between Cache Digest writes to disk. --enable-cache-digests digest_rewrite_period time(seconds) digest_rewrite_period 1 hour

Synopsis This tag specifies the time period between successive writing to disk by cache digest .

Arguments time

Time period between successive writes

Example(s) digest_rewrite_period 2 hour

TAG NAME Description Built Option Usage Default

digest_swapout_chunk_size This is the number of bytes of the Cache Digest to write to disk at a time --enable-cache-digests digest_swapout_chunk_size bytes digest_swapout_chunk_size 4096 bytes

Synopsis Using this tag, total number of bytes to be written to the disk at a time by the cache digest is specified.

Arguments bytes

Total number of bytes to be written to the disk in single time

Example(s) digest_swapout_chunk_size 2048 bytes

TAG NAME Description Built Option Usage Default

digest_rebuild_chunk_percentage This specifies the percentage of the Cache Digest to be scanned at a time --enable-cache-digests digest_rebuild_chunk_percentage percent(0-100) digest_rebuild_chunk_percentage 10

Synopsis Using this tag, we can specify the percentage of the cache disgest to be scanned at a time.

Arguments percent

Percentage of cache digest to be scanned at a time

Example(s) digest_rebuild_chunk_percentage 20

TAG NAME

chroot

Description Built Option Usage Default

Use this to have Squid do a chroot() while initializing Default chroot none

Synopsis Squid by default does not fully drop root privileges because it may be required during reconfigure.So use this directive to have Squid do a chroot() while initializing. This also causes Squid to fully drop root privileges after initializing . Squid only drops all root privilegies when chroot_dir is used. Without chroot_dir it runs as root with effective user nobody. This means, for example, that if you use a HTTP port less than 1024 and try to reconfigure, you will get an error.

Example(s) chroot

TAG NAME Description Built Option Usage

client_persistent_connections, server_persistent_connections Enable/disable persistent connection support for clients and servers Default client_persistent_connections on|off server_persistent_connections on|off client_persistent_connections on server_persistent_connections on

Default

Synopsis By default, Squid uses persistent connections (when allowed) with its clients and servers. You can use these options to disable persistent connections with clients and/or servers.

Arguments on/off

Enable or disable persistent connections

TAG NAME

pipeline_prefetch Used to boost the performance of pipelined requests to closer match that of a non-proxied environment Default pipeline_prefetch on|off pipeline_prefetch off

Description Built Option Usage Default

Synopsis Squid can try to fetch up to two requests in parallell from a pipeline. Defaults to off for bandwidth management and access logging reasons.

Arguments on/off

Enable or disable pipeline prefetch

TAG NAME

extension_methods

You can add up to 20 additional request "extension" methods here for enabling Squid to allow access unknown methods Default extension_methods methods none

Description Built Option Usage Default

Synopsis Squid only knows about standardized HTTP request methods. Unknown methods are denied, unless you add them to this tag.

Arguments methods

New methods

Example(s) extension_methods SEARCH

TAG NAME

request_entities Set this directive to on if you have clients which insists on sending request entities in GET or HEAD requests Default request_entities on|off request_entities off

Description Built Option Usage Default

Synopsis Squid defaults to deny GET and HEAD requests with request entities, as the meaning of such requests are undefined in the HTTP standard even if not explicitly forbidden. Set this directive to on if you have clients which insists on sending request entities in GET or HEAD requests

Arguments on/off

Enable or disable

TAG NAME Description Built Option Usage Default

high_response_time_warning Enables Squid to print a WARNING to get the administrators attention Default high_response_time_warning time(msec) high_response_time_warning 0

Synopsis If the one-minute median response time exceeds this value, Squid prints a WARNING with debug level 0 to get the administrators attention. The value is in milliseconds.

Arguments time

Time after which warning is printed

Example(s) high_response_time_warning 20

TAG NAME

high_page_fault_warning

Description Built Option Usage Default

Enables Squid to print a WARNING to get the administrators attention Default high_page_fault_warning time high_page_fault_warning 0

Synopsis If the one-minute average page fault rate exceeds this value, Squid prints a WARNING with debug level 0 to get the administrators attention. The value is in page faults per second.

Arguments time

Time after which warning is printed

Example(s) high_page_fault_warning 10

TAG NAME Description Built Option Usage Default

high_memory_warning Enables Squid to print a WARNING to get the administrators attention --enable-snmp high_memory_warning number high_memory_warning 0

Synopsis If the memory usage (as determined by mallinfo) exceeds value, Squid prints a WARNING with debug level 0 to get the administrators attention.

Arguments time

Time after which warning is printed

Example(s) high_memory_warning 20

TAG NAME Description Built Option Usage Default

store_dir_select_algorithm Used to specify the algorithm for store directory selection --enable-snmp store_dir_select_algorithm algorithm-type store_dir_select_algorithm least-load

Synopsis As there are more number of store directories, this tag allos you to specify the algorithm by which Squid will select the store directories.

Arguments algorithm-type

Algorithm to be used

Example(s) store_dir_select_algorithm round-robin

TAG NAME

ie_refresh

Description

Turning this on provides a partial fix to the problem with Microsoft Internet Explorer up until version 5.5 Service Pack 1 which has an issue with transparent proxies, wherein it is impossible to force a refresh Default ie_refresh on|off ie_refresh off

Built Option Usage Default

Synopsis Turning this on provides a partial fix to the problem, by causing all IMS-REFRESH requests from older IE versions to check the origin server for fresh content. This reduces hit ratio by some amount (~10% in my experience), but allows users to actually get fresh content when they want it. Note that because Squid cannot tell if the user is using 5.5 or 5.5SP1, the behavior of 5.5 is unchanged from old versions of Squid (i.e. a forced refresh is impossible). Newer versions of IE will, hopefully, continue to have the new behavior and will be handled based on that assumption. This option defaults to the old Squid behavior, which is better for hit ratios but worse for clients using IE, if they need to be able to force fresh content.

Arguments on/off

Enable or disable this feature

TAG NAME Description

vary_ignore_expire This option enables Squid to ignore, immediate expiry time with no cache-control header when requested by a HTTP/1.0 client Default vary_ignore_expire on|off vary_ignore_expire off

Built Option Usage Default

Synopsis Many HTTP servers supporting Vary gives such objects immediate expiry time with no cache-control header when requested by a HTTP/1.0 client. This tag enables Squid to ignore such expiry times until HTTP/1.1 is fully implemented. Note: This may eventually cause some varying objects not intended for caching to get cached.

Arguments on/off

Enable or disable vary_ignore_expire feature

TAG NAME Description

sleep_after_fork When this is set to a non-zero value, the main Squid process sleeps the specified number of microseconds after a fork() system call Default sleep_after_fork time(microseconds) sleep_after_fork 0

Built Option Usage Default

Synopsis This sleep may help the situation where your system reports fork() failures due to lack of (virtual) memory. Note, however, that if you have lot of child processes, then these sleep delays will add up and your Squid will not service requests for some amount of time until all the child processes have been started.

Arguments time

Sleep time period

Example(s) sleep_after_fork 20